Access control on W3C httpd server

Peter Lord (plord@perrin.demon.co.uk)
Wed, 30 Apr 1997 19:50:39 +0000

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: John Sheehy: "Re: Digital UNIX/Irix mesg problem"
Previous message: Dean Gaudet: "Re: mod_proxy problem in Apache v1.2b8"

I came accross this problem recently when using the CERN server. I
couldn't find any referrences to it ... but I guess this *must* be
well known. Still, better to speak up than to keep quiet.

My server has the following in the config file :-

Protection secret {
AuthType Basic
ServerID mine
PasswdFile /httpd/config/passwd
GroupFile /httpd/config/group
POST-Mask secret_group
GET-Mask secret_group
PUT-Mask webmaster
}

Protect /secret/* secret

Which works fine. When the client tries to access
http://www.site.co.uk/secret/index.html, for example, the password
box pops up.

However, if the client tries to access
http://www.site.co.uk//secret/index.html (note the double slash), the
server happily serves the document out.

Until I manage to have a dig around the sources, my tempory
workaround is to add :-

Protect //secret/* secret

Whick seems to work (regardless of how many extra slashes are slotted
in).

BTW, my source tree is the last available from CERN with a couple of
local mods (syslog logging + BROWSE support for AOLPress) - I havn't
touched anying which would effect this.

Comments?

Thanks,

Pete

Next message: John Sheehy: "Re: Digital UNIX/Irix mesg problem"
Previous message: Dean Gaudet: "Re: mod_proxy problem in Apache v1.2b8"